UHC/Change Healthcare Hack Sows Negative Ripple Effects From a ‘Single Point’ of Failure

UnitedHealthcare building

There’s a metaphor here — somewhere. A butterfly flaps its wings, a hurricane ensues. A rock in a pond sets waves in motion that reach distant shores.

Find your own illustrative scenario here, but weeks after a cyberattack on Change Healthcare, a billing and payments unit owned by UnitedHealthcare, hit the headlines, the impact lingers.

As reported at the end of last month, a “network interruption” was disclosed by Change Healthcare. As a casualty of the outage, several pharmacies reported that they could not process prescriptions through patients’ insurance and billing/payment activities wound up being hobbled. The ultimate pain, we note, is borne by the patients and the hospitals and the other providers serving those patients — and prescription medication, of course, is never a “nice to have.” Quite often, medication is a necessity.

The Fallout Continues

More recently, as of this week — and spotlighting just how impactful a hack can be — UnitedHealth stated that critical services are back online that have allowed more than 9 million prescriptions to be filled. Separately, hackers said this week that the healthcare giant had paid $22 million in ransomware to get data back and systems up and running.

For the providers themselves, not being able to get paid on time has been a significant challenge, where The New York Times reported anecdotes of doctors and hospitals borrowing money to help ensure that their operating costs, such as payroll, could be satisfied.

The American Hospital Association (AHA) reported in tandem with the news about the hack that “the reported interruption could have significant cascading and disruptive effects on revenue cycle, certain health care technologies and clinical authorizations provided … across the health care sector.”

By attacking the billing and payment operations — the point of connectivity that ties all the far-flung stakeholders together — it seems that the bad actors have exploited a “single point of failure” for significant gain.  Payments, after all (and the data that is tied to the payers/payees), are what keeps the services provided, keeps the providers in business, and helps make sure that patients get the care they need (and reimbursed, too).

Girding for the Next Time?

It’s important to note that attacking the processor — and thus the process of the data and payments flow, and continuity of care — has wrought damage to the healthcare ecosystem that is taking, and will take, significant time to fix. Healthcare, like any other segment of the economy, has its own supply chains. And any supply chain needs to have backups, redundancies and emergency measures in place. Per the AHA: “Organizations should use this opportunity to test the security, redundancy and resiliency of their network and data backups ensuring they remain offline. AHA recommends backup technology which renders the backups ‘immutable’ — unable to be deleted, altered or encrypted.”